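{ config, pkgs, lib, utils, ... }:
let
  cfg = config.services.ssh-cert-dist;

  # The server is given the CA as a file on disk.  Work out how to get one from
  # whatever was put into `services.ssh-cert-dist.ca`:
  #   * a Nix path value, a store path, or any other absolute-path string is
  #     used as a file.  An absolute *string* is passed through untouched, so a
  #     file deployed outside the Nix store (e.g. by a secrets manager) is read
  #     at service start and never copied into the world-readable store;
  #   * anything else is treated as the CA content itself and written to a
  #     store file.
  # The old `isStorePath` test let a non-store absolute path fall through to
  # writeText, so the generated file contained the path *string* instead of the
  # CA, and a Nix path literal was copied to the store and then its store path
  # string was written out in the same way.
  caIsFile = builtins.isPath cfg.ca || lib.hasPrefix "/" (toString cfg.ca);
  caFile = if caIsFile then cfg.ca else pkgs.writeText "ssh-ca" cfg.ca;

  # Creates the data directory and hands it to the service user.  Runs with
  # full privileges (see the "+" prefix on ExecStartPre below) because dataDir
  # may live anywhere on the system.
  preStart = pkgs.writeShellScript "pre-start" ''
    mkdir -p ${lib.escapeShellArg cfg.dataDir}
    chown ${lib.escapeShellArg "${cfg.user}:${cfg.group}"} ${lib.escapeShellArg cfg.dataDir}
  '';
in
{
  options.services.ssh-cert-dist = {
    enable = lib.mkEnableOption "ssh-cert-dist";

    host = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1";
      description = "Address the server listens on. The default keeps it reachable from this host only.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 6877;
      description = "TCP port the server listens on.";
    };

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.ssh-cert-dist;
      defaultText = lib.literalExpression "pkgs.ssh-cert-dist";
      description = "The ssh-cert-dist package providing `bin/ssh-cert-dist`.";
    };

    ca = lib.mkOption {
      type = lib.types.either lib.types.str lib.types.path;
      description = ''
        The CA handed to the server via `--ca`.  Either an absolute path to the
        CA file, or the CA content itself (any string not starting with `/`),
        which is then written to a file in the Nix store.

        Everything in the Nix store is world-readable.  If the CA material is
        secret, give an absolute path *string* to a file deployed outside the
        store; a Nix path literal (`/etc/...` without quotes) or inline content
        would both be copied into the store.
      '';
    };

    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/ssh-cert-dist";
      description = "Directory passed to the server with `-c`. Created and chowned to the service user before start.";
    };

    user = lib.mkOption {
      type = lib.types.str;
      default = "cert-dist";
      description = "System user the server runs as. Created by this module.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "cert-dist";
      description = "Group of the service user. Created by this module.";
    };
  };

  config = lib.mkIf cfg.enable {
    users = {
      users.${cfg.user} = {
        isSystemUser = true;
        group = cfg.group;
      };
      groups.${cfg.group} = { };
    };

    systemd.services.ssh-cert-dist = {
      description = "ssh-cert-dist server";
      wantedBy = [ "multi-user.target" ];
      # Bind only once the network stack is up; matters when `host` is not a
      # loopback address.
      after = [ "network.target" ];

      serviceConfig = {
        ExecStartPre = "+${preStart}";
        # Quoted per systemd's own rules so a dataDir or CA path containing
        # whitespace does not get split into several arguments.
        ExecStart = utils.escapeSystemdExecArgs [
          "${cfg.package}/bin/ssh-cert-dist"
          "server"
          "--address"
          "${cfg.host}:${toString cfg.port}"
          "-c"
          cfg.dataDir
          "--ca"
          "${caFile}"
        ];
        User = cfg.user;
        Group = cfg.group;

        # Sandboxing: the main process only needs its data directory writable.
        # The "+"-prefixed ExecStartPre is exempt from these restrictions.
        # NOTE(review): relax ReadWritePaths if the server turns out to need
        # other writable locations — only dataDir is visible from this module.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ cfg.dataDir ];
      };
    };
  };
}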